Bug #17542 (closed)
Username and password are not decoded if retrieved from env
Description
If someone sets an env variable defining a http_proxy (ENV['http_proxy']), containing a
username / password with percent-encoded characters, then the resulting
base64 encoded auth header will be wrong.
For example, suppose a username is `Y\X` and the password is `R%S] ?X`.
Properly URL encoded the proxy url would be:
http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000
The resulting proxy auth header should be: `WVxYOlIlU10gP1g=`, but the getters defined by ruby StdLib URI return a username `Y%5CX` and password `R%25S%5D%20%3FX`, resulting in `WSU1Q1g6UiUyNVMlNUQlMjAlM0ZY`.
As a result the proxy will deny the request.
Please note that this is my first contribution to the ruby ecosystem, to
standard lib especially and I am not a ruby developer. I don't
understand ruby's encoding system and the code is not properly
ruby-esque. Sorry for that and a happy and healthy 2021!
The description above is taken from: https://github.com/ruby/net-http/pull/5
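The mismatch from the report, reproduced as an added example (not code from the pull request or from net/http): it builds the Basic credential from the raw `URI` getters and again after percent-decoding. `percent_decode`, `basic_credential`, `proxy_auth_raw` and `proxy_auth_decoded` are hypothetical helper names; the proxy URL is the one given in the description.

```ruby
require "uri"

# Proxy URL from the report: user is Y\X, password is "R%S] ?X".
PROXY_ENV = "http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000"

# Hypothetical helper: decode %XX escapes only. "+" is left untouched,
# because in URI userinfo it is a literal plus, not a form-encoded space.
def percent_decode(component)
  component.b.gsub(/%(\h{2})/) { Regexp.last_match(1).hex.chr }
end

# Base64 of "user:password", as used in a Basic Proxy-Authorization header.
def basic_credential(user, password)
  ["#{user}:#{password}"].pack("m0")
end

# Behaviour described in the report: the getters return the userinfo
# still percent-encoded, so the escapes end up inside the credential.
def proxy_auth_raw(proxy_url)
  uri = URI.parse(proxy_url)
  basic_credential(uri.user, uri.password)
end

# Expected behaviour: decode each userinfo part before encoding it.
def proxy_auth_decoded(proxy_url)
  uri = URI.parse(proxy_url)
  basic_credential(percent_decode(uri.user), percent_decode(uri.password))
end

puts "raw getters: Proxy-Authorization: Basic #{proxy_auth_raw(PROXY_ENV)}"
puts "decoded:     Proxy-Authorization: Basic #{proxy_auth_decoded(PROXY_ENV)}"
```

A form-style decoder would also turn `+` into a space, which would corrupt a password that contains a literal plus; the helper above decodes only `%XX` sequences.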